Companies often end up investing huge amounts in creating logical and network security perimeters and at times physical security is relegated to the background. According to New York Post, A civilian official of the NYPD’s pension fund has been charged with taking computer data that could be used to steal the identities of 80,000 current and retired cops. According to news reports, Bonelli bypassed the security guard on duty by flashing an expired ID card. His name was also not on a list of authorized personnel.
Anthony Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security numbers, direct-deposit information for bank accounts, and other sensitive material. The Police Department’s pension fund is sending out letters to the 80,000 potential victims, warning them of what happened and offering help if their identities are stolen.
Bonelli, 46, served as the fund’s director of communications but didn’t have authorized access to the site, at an undisclosed Staten Island location, where the backup data was kept on VHS-like tapes. Sources said he managed to get past a guard on Feb. 21, unplugged video cameras, and left with the stolen tapes. The NYPD sent technology specialists to the site, where they discovered that the cameras had been disabled and the tapes were missing. The tapes were found at Bonelli’s home when he was arrested, police said. He was charged with computer trespass, burglary and grand larceny. Bail was set at $2 million.
“This individual was not authorized to be there, yet the guard let him in,” Anthony Garvey, the fund’s executive director, told the Staten Island Advance. “We think it was poor judgment.” Once inside, Bonelli allegedly pulled the plug on the back office’s camera system before stealing the eight tapes.
The news article can be accessed at https://www.nypost.com/seven/03042009/news/regionalnews/nypd_civilian_worker_busted_in_mass_cop__157927.htm
The reported instance raises several issues that will be debated for sometime, but again cannot mask the human element that caused the breach. If there would have been more advanced physical control authentication systems other than flashing ID cards at security guards, then may be, the above incident could have been averted. Every chain is as strong as its weakest link is very apt here as a weak physical access control has resulted in a major breach of Data security.